A recently discovered piece of Android stalkerware can install itself persistently on the system partition and steals the file containing the hash sum for the screen unlock pattern or password to allow its operators to unlock devices.
The new threat is far more advanced than other stalkerware out there, which typically only includes functionality to transmit the victim’s current geolocation and only sometimes also packs the ability to intercept SMS and call data, Kaspersky reveals.
Referred to as MonitorMinor, the stalkerware targets communication applications to intercept victims’ conversations, including LINE, Gmail, Zalo, Instagram, Facebook, Kik, Hangouts, Viber, Hike News & Content, Skype, Snapchat, JusTalk, and BOTIM.
Given that Android sandboxes applications to prevent direct communications between them — this feature is called DAC, or Discretionary Access Control — MonitorMinor requires root access to bypass the security system and perform nefarious activities.
For that, the stalkerware requires a SuperUser-type app (SU utility) to be installed, either through malware or by the users themselves. Using the utility, MonitorMinor escalates privileges to gain full access to the targeted apps.
Once it obtains root privileges, the threat can also extract the file /data/system/gesture.key, which contains the hash sum for the screen unlock pattern or the password, which basically allows MonitorMinor operators to unlock the device when nearby or when physical access is available.
“This is the first time we have registered such a function in all our experience of monitoring mobile platform threats,” Kaspersky says.
For persistence, the stalkerware uses the acquired root access to remount the system partition to read/write mode, copy itself to it, and remount the partition to read-only mode. Thus, it ensures that users can’t easily remove it using typical OS tools.
Even if root access is not available, MonitorMinor can still engage in nefarious activities, by abusing the Accessibility Services API to intercept events in the targeted apps.
On top of that, the stalkerware includes a keylogger function implemented through the same API, which ensures that anything that the victim types on the device is sent to the cybercriminals. The clipboard is also monitored and its content forwarded to operators.
Through MonitorMinor, the attackers can control the device using SMS commands, view real-time video from the device’s cameras, record sound from the device’s microphone, view browsing history in Chrome and usage statistics for certain apps, and access the device’s internal storage, contacts list, and system log.
India is currently affected the most, with 14.71% of infections, with Mexico (11.76%), Germany, Saudi Arabia, and the UK (at around 5.88% each) rounding up top five. Kaspersky could not share with SecurityWeek an exact number of affected users.
Kaspersky’s security researchers identified a Gmail account with an Indian name in the body of MonitorMinor, suggesting that this might be its country of origin. However, they also found control panels in Turkish and English.
“MonitorMinor is superior to other stalkerware in many aspects. It implements all kinds of tracking features, some of which are unique, and is almost impossible to detect on the victim’s device. If the device has root access, its operator has even more options available. For example, they can retrospectively view what the victim has been doing on social networks,” the security firm concluded.